{"id":16835,"date":"2019-11-07T14:10:05","date_gmt":"2019-11-07T22:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/07\/news-10574\/"},"modified":"2019-11-07T14:10:05","modified_gmt":"2019-11-07T22:10:05","slug":"news-10574","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/07\/news-10574\/","title":{"rendered":"Not us, YOU: vendor email compromise explained"},"content":{"rendered":"

Credit to Author: Jovi Umawing| Date: Thu, 07 Nov 2019 21:49:16 +0000<\/strong><\/p>\n

Silent Starling<\/a>, an online organized criminal group hailing from West Africa, seem to have reminded SMBs and enterprises alike the perils of business email compromise (BEC)<\/a> scams once more. This time, they’ve advanced BEC into a more potent modality by widening the scope of its potential targets and methodically preparing for the attack from timing to execution. Thus, vendor email compromise (VEC) is born.<\/p>\n

If you may recall, BEC is a form of targeted social engineering attack against institutions by baiting certain staff members\u2014usually a CFO or those in the finance, payroll, and human resource departments\u2014who either have access to company monetary accounts or the power to make financial decisions.<\/p>\n

A BEC campaign always starts off with an email, either phishing<\/a> or a spoofed email. Some BEC scams wants money from the get-go while others are more interested in sensitive information, such as W-2 forms.<\/p>\n

BEC is remarkably effective at ensnaring victims. Although it may seem like mere trickery, an impressive level of sophistication is actually put into these campaigns to succeed. In fact, a typical BEC campaign so closely follows the kill chain framework<\/a> used by advanced persistent threats (APTs)<\/a> that it is deemed APT-like. As such, BEC deserves attention worthy of an APT attack. <\/p>\n

So if BEC is already sophisticated enough to warrant APT-level protection, where does that leave businesses hit vendor email compromise?<\/p>\n

BEC changed targets and gets a new name?<\/h3>\n

Before we launch into logistics of how to protect against VEC, let’s rewind and unpack naming conventions. <\/p>\n

It\u2019s true that scam campaigns change targets all the time and on occasion, in a heartbeat. But this particular scam evolution is quite unconventional because the amount of resources required to pull off a highly-successful VEC attack are easily quadruple that of a traditional BEC scam. To look at it another way, threat actors have introduced more friction into their operation instead of removing or minimizing it. However, they’ve also opened up the capacity to inflict far more damage to the target organization and to businesses worldwide.<\/p>\n

While a typical BEC campaign baits one staff member at-a-time to extract money from a targeted organization, a VEC scam doesn\u2019t go after a company for their money. Instead, VEC scammers look to leverage organizations against their own suppliers.<\/p>\n

It\u2019s typical for global brands to have hundreds of thousands of suppliers<\/a> around the world. Proctor & Gamble, for example, has at least 50,000 company partners<\/a>. This translates to at least 50,000 potential victims if VEC scammers can get a foothold in Proctor & Gamble’s systems. And these aren’t 50,000 individuals\u2014it’s 50,000 organizations<\/em> open to compromise.<\/p>\n

This seems like a surefire money-making scheme, but it costs VEC scam operatives much more time and effort to sift through and study communication patterns based on thousands of current and archived email correspondences between the target business and their supply chain.<\/p>\n

Okay, now I\u2019m listening. How does VEC work?<\/h3>\n

According to the Agari Cyber Intelligence Division (ACID), the cybersecurity bod that has been engaging with Silent Starling for a time and recently put out a dossier about the group, the VEC attack chain<\/a> this scam group follows is made up of three key phases.<\/p>\n